Solved: Need help in extracting branch numbers from event ...

labaningombam · ‎08-01-2022

I have a field called RenderedMessage in event log which has the following text

Task finished: TaskID 1 for branch 6000

I have been given the task to alert in an email all the branches that has the tasked finished.

In my search, I am able to get the events for this task as

index=prod | spath RenderedMessage | search RenderedMessage="*Task finished: ColleagueNextWeekTask*"

How shall I extract only the branch values from this events/message? I need only the 6000 from this.

Thank you.

richgalloway · ‎08-01-2022

Use the rex command to extract a field from another field (including _raw).

| rex field=RenderedMessage "branch (?<branch>\d+)"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

labaningombam · ‎08-01-2022

Thank you so much, @richgalloway It works. Is there a way I can display only the branch after this command without showing count. I can display it with

| stats count by branch

richgalloway · ‎08-01-2022

The table command can do that.

| table branch

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎08-01-2022

Use the rex command to extract a field from another field (including _raw).

| rex field=RenderedMessage "branch (?<branch>\d+)"

---
If this reply helps you, Karma would be appreciated.

Need help in extracting branch numbers from event message

field extraction

regex

rex

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout